"Ledger wallets generate the displayed receive address using JavaScript code running on the host machine. This means malware can simply replace the code responsible for generating the receive address with its own address, causing all future deposits to be sent to the attacker.
Because recieve addresses are constistently changing as part of the usual activity of the wallet, the user has no trivial way (like recognizing his address) to verify the intrgrity of the recieve address.
As far as he knows, the displayed receive address is his actual receive address"
While there are no reports of the method being used yet, a proof of concept was provided in the study causing Ledger to agree with the findings, and issue the following statement via Twitter:
It's important to note - this cannot be considered a 'security flaw' in Ledger, but rather the risk of plugging a Ledger into a malware infected computer.To mitigate the man in the middle attack vector reported here https://t.co/GFFVUOmlkk (affecting all hardware wallet vendors), always verify your receive address on the device's screen by clicking on the "monitor button" pic.twitter.com/EMjZJu2NDh— Ledger (@LedgerHQ) February 3, 2018
Ledger sold over 1 million hardware wallets in 2017 and is currently the most popular hardware cryptocurrency storage device.
Author: Ross Davis
San Francisco News Desk
No comments
Post a Comment